Office applications Toolkit

Lockdown the desktop with policies

Tags:
Help Desk,
Viruses,
Lockdown,
Install

Jeff Davis Tech Republic

Published: 29 Apr 2003 10:57 BST

Do end users in your company call the help desk looking for assistance with applications unsupported by the company? Or worse, when your tech support analysts visit user workstations to troubleshoot, do they find problems are the result of the installation of unauthorised hardware?

If so, you've got trouble, my friends. When anybody in the company can install applications or add new hardware, the results include an undue burden on tech support, security breaches, loss or compromise of data, proliferation of viruses, and increased use (waste) of precious network bandwidth.

So what can you do to prevent end users from installing software or hardware? I can answer that question in just one word: policies.

Specifically, I recommend you establish written policies that define who can install what on company computers. Then, wherever possible, put in place network operating system policies that prevent users from breaching your written policies.

Whose call is it to lock down user machines?
Help desk managers have a duty to protect company assets by reporting any unauthorised software and hardware installations. But what specifically can the help desk manager do?

The answer depends on how your information technology department is staffed. In some shops, the same person who administers the network is also the person who oversees technical support operations. In other shops, the help desk manager may have to get buy-in from the network administrator to establish security policies or to physically lock down user machines.

No matter who has ultimate authority over the network, the help desk manager is usually the first person to learn about unauthorised installations. Users inevitably make the mistake of calling for help getting Quake to run on the network or installing the nifty new USB port they bought over the weekend. Help desk analysts should inform management as soon as they find out someone is installing (or trying to install) unauthorised applications and devices.

Written policies the help desk can sponsor
The problem with trying to tell people they can't do something is that they'll push back. They want to know why they can't just install whatever software or hardware they need on their machines. Without any policies in place, users may assume they can do whatever they darn well please, with or without help from the support team.

One way to eliminate confrontations with users is for the help desk manager to write policies that specifically outline what users can and cannot put on their machines. Put those policies through the normal corporate approval policy, publish the approved policies on the intranet and make sure departmental managers in the organisation get the word out to their teams.

Your policy statements don't have to be long-winded. Here are some samples that you can adapt to your shop:

The [Company] help desk department shall provide technical support and services only for those applications and devices that have been approved by the information technology department.
No software or hardware of any kind shall be installed on any [Company] desktop, laptop, or server computer without prior approval by the information technology department.
No unauthorised access or attempted access to the [Company] network via wireless connection of any kind is permitted. Wireless data connectivity is limited to evaluations or projects sponsored by the [Company] data network services team. Wireless access must be secured based on supporting standards.
Remote access to the [Company] network is granted only for legitimate business needs, and that access must conform to data security, audit, and regulatory requirements set forth in related policies and supporting standards.

You can sum up these policies in this way: "Nothing goes on company computers unless the information technology department has certified and approved its use, and nobody gets access to the network except by approved methods." To give such policies administrative teeth, you may want to define specific consequences or penalties for anyone who violates them. At the least, you should authorise the tech support staff to uninstall any unauthorised software or hardware whenever it's encountered.

Once policies are in place and have been communicated to end users, the help desk has an out that lets it refuse to provide support or help to an end user who does something against official company policy.

Go to section: